Access restrictions

Hi all,

I'm a new ZenPhoto user and have 2 questions:

First, I want to have a user-dependent access restriction. Let me explain: I want each user to have different access to different albums. I'll give access or not to users. For example: User A has access to albums 1 and 2, User B has access to album 1, User C to album 3, etc. Is that possible?

The other thing that I noticed is that there is a "security" problem. Let's say that album "Private" is protected by a password. If someone has the direct URL to an image ".../albums/private/xxx.jpg", he just has to remove xxx.jpg and he's allowed to navigate through all the directories! That isn't of course the goal of a protected folder. Did I miss something (parameters..)?

FYI, I'm hosted by OVH.

Thanks in advance,

Michael

Comments

  • acrylian Administrator
    1. Please read:
    http://www.zenphoto.org/2008/07/an-overview-of-zenphoto-users/
    http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#46

    2. Neither a bug nor a real security. Zenphoto can't directly protect folders on the server. A password protection only protects the script access to an album which is not directly the folder. Difference full image in /albums and the sized image displayed on the theme from /cache which is created from the full image. See:
    http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#4

    This is actually a matter of file/folder permissions which Zenphoto's setup tries to set properly on installing and additional possible .htaccess usage.
    http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#29
    http://www.zenphoto.org/2009/03/troubleshooting-zenphoto/#39

    You probably also should ask your host to disable directory listing on your server, then no one will be able to move through directories directly.
  • Hi acrylian,

    Thanks for your fast and complete response.

    For the 2nd point, there's no problem but for the 1st, I can't really understand the philosophy?! Can you maybe explain it to me in your own words? What does the "album password" stand for?
  • acrylian Administrator
    The password protects the access via the page on the front end, the description, tags or whatever other info you have added. It can't protect the real folder itself, that is the task of the server itself. As explained on the links it is possible to move this /albums folder out of the accessible root of the installation (drawback is multimedia files do not work then).

    Zenphoto takes the full images and foremost generates the cached ones like thumbs and the sized image on the image page, however most themes do access the full image via a colorbox from. You can easily disable that on the theme code if you have a little html knowledge.
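
The replies above say the album password only gates Zenphoto's pages, while the web server decides whether /albums can be browsed. The following is an added example, not part of the thread or of Zenphoto: a Python audit that walks a web root on disk and reports the directories Apache would render as a file listing. It assumes Apache with mod_autoindex, `AllowOverride` permitting `Options` in .htaccess, listing enabled by the server default, and index.html/index.php as the DirectoryIndex names; `apply_htaccess`, `listable_dirs` and the sample tree are hypothetical.

```python
import os
import tempfile

INDEX_FILES = ("index.html", "index.php")  # assumed DirectoryIndex names

def apply_htaccess(path, indexes_on):
    """Return the Indexes state after the Options lines of one .htaccess."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            parts = line.split("#", 1)[0].lower().split()
            if len(parts) < 2 or parts[0] != "options":
                continue
            tokens = parts[1:]
            if not any(t[0] in "+-" for t in tokens):
                # Absolute form replaces the inherited option set.
                indexes_on = "indexes" in tokens or "all" in tokens
            for t in tokens:
                if t in ("+indexes", "-indexes"):
                    indexes_on = t[0] == "+"
    return indexes_on

def listable_dirs(root, server_default=True):
    """Directories under root that Apache would render as a file listing."""
    exposed = []
    def walk(directory, indexes_on):
        ht = os.path.join(directory, ".htaccess")
        if os.path.isfile(ht):
            indexes_on = apply_htaccess(ht, indexes_on)
        names = sorted(os.listdir(directory))
        if indexes_on and not any(n in INDEX_FILES for n in names):
            exposed.append(os.path.relpath(directory, root))
        for n in names:
            child = os.path.join(directory, n)
            if os.path.isdir(child) and not os.path.islink(child):
                walk(child, indexes_on)
    walk(root, server_default)
    return exposed

def demo():
    # Constructed gallery tree, audited before and after adding .htaccess.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "albums", "private"))
        os.makedirs(os.path.join(root, "cache"))
        open(os.path.join(root, "index.php"), "w").close()
        before = listable_dirs(root)
        with open(os.path.join(root, "albums", ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        return before, listable_dirs(root)
```

Turning off listing only stops browsing: a file under /albums whose exact URL is known is still served by the web server unless the folder is moved out of the web root or restricted by the server.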